A Chinese state-sponsored cyber espionage group tracked as UNC5221 has been identified deploying a newly discovered malware nicknamed "Brickstorm" to maintain persistent access to compromised Microsoft 365 environments. Security researchers have uncovered the campaign targeting enterprise email systems, raising significant concerns about supply chain compromises and long-term data exfiltration capabilities.
Attribution and Threat Actor Background
UNC5221 is a cyber espionage group observed operating since at least 2023, with activities primarily focused on compromising government institutions, telecommunications providers, and technology companies across Asia. The group has been associated with other malware families including "BrickBot" and "BrickHouse," establishing a pattern of using naming conventions that suggest a modular backdoor framework.
Analysis of the group's tactics, techniques, and procedures (TTPs) indicates strong ties to other Chinese advanced persistent threat (APT) groups including APT31 and APT41, though UNC5221 maintains operational independence through dedicated infrastructure and tooling.
For additional context on cloud security incidents and credential-based attacks, see our coverage of the Fortinet credential harvesting campaign that compromised approximately 30,000 devices worldwide.
Technical Analysis of the Brickstorm Backdoor
The Brickstorm backdoor represents a significant evolution in cloud-based espionage tools, specifically designed to operate within Microsoft 365 environments while evading detection by standard security controls. Key technical characteristics include:
- Initial Access Vector: UNC5221 typically gains initial access through spear-phishing campaigns targeting email administrators, followed by exploitation of unpatched vulnerabilities in Exchange Server or Microsoft Exchange Online Protection (EOP) rules.
- Persistence Mechanism: The backdoor establishes persistence through legitimate Microsoft 365 features including mailbox rules, transport rules, and app permissions. This "living off the land" approach makes detection significantly more difficult, as the activity appears legitimate within Microsoft's logging framework.
- Communication Protocol: Brickstorm uses HTTPS with domain fronting through compromised legitimate websites to communicate with command-and-control servers. The group has been observed using GitHub Gists and other legitimate cloud storage services for payload delivery.
- Data Exfiltration Methods: The backdoor is capable of extracting email contents, contacts, calendar entries, and file attachments from compromised Microsoft 365 accounts. It compresses and encrypts stolen data before transmission to avoid detection by network monitoring tools.
Attack Lifecycle and Indicators of Compromise
Phase 1: Reconnaissance
The group begins operations by mapping the target organization's Microsoft 365 environment, identifying key users, administrative privileges, and security configurations. This phase often involves social engineering to gather intelligence about organizational structure.
Phase 2: Initial Compromise
UNC5221 typically gains initial access through:
- Phishing emails with malicious attachments designed to install remote access trojans
- Exploitation of known vulnerabilities in Microsoft Exchange servers
- Use of credentials exposed in previous breaches
Phase 3: Lateral Movement
Once inside the environment, attackers move laterally by:
- Abusing legitimate administrative privileges and access tokens
- Exploiting trust relationships between domains in hybrid environments
- Using PowerShell scripts to enumerate and map network resources
Phase 4: Brickstorm Deployment
The Brickstorm backdoor is deployed through:
- Custom PowerShell scripts that establish scheduled tasks or registry persistence
- Mailbox transport rules that forward copies of emails to attacker-controlled accounts
- Compromised service accounts with elevated privileges
Phase 5: Persistent Access and Data Exfiltration
With persistent access established, the group maintains long-term access to compromised environments for extended surveillance operations.
Indicators of Compromise (IOCs)
Security teams should monitor for the following indicators:
- Unusual outbound HTTPS connections to unfamiliar domains, particularly those with recent registration dates
- Suspicious mailbox rules created by non-administrative users
- Unexpected changes to Microsoft 365 transport rules or mail flow configurations
- Authentication attempts from unusual locations or atypical times
- Increased data transfer volumes to cloud storage services
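The mailbox-rule and transport-rule indicators in the list above can be hunted for directly in exported Microsoft 365 Unified Audit Log records. The following script is an example added by the editor, not code from the article or from the researchers it cites. It reads one JSON record per line and flags rules that forward or copy mail outside the tenant, forward-and-delete rules, and mail-flow rule changes made by accounts that are not expected to make them, annotating off-hours timing where another finding already exists. The sample records are constructed; their layout (Operation, UserId, CreationTime, and Parameters as a list of Name/Value pairs) follows the Exchange admin audit record shape, but field names should be confirmed against a real export. The internal domain and admin-account lists are assumptions to be replaced with the tenant's own values.

```python
"""Hunt mailbox-rule and transport-rule indicators in Unified Audit Log exports.

Editor-added example, not code from the article. Sample records are constructed
and modelled on the Exchange admin audit record shape; verify field names
against your own export before relying on them."""
import json

# Assumptions: the tenant's own domains and the accounts expected to change mail flow.
INTERNAL_DOMAINS = {"example.com"}
MAIL_FLOW_ADMINS = {"admin@example.com"}

# Cmdlet parameters (New-/Set-InboxRule, New-/Set-TransportRule) that send mail elsewhere.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "BlindCopyTo", "CopyTo", "RedirectMessageTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule",
                   "New-TransportRule", "Set-TransportRule", "Remove-TransportRule"}
BUSINESS_HOURS_UTC = range(7, 19)  # assumption: 07:00-18:59 UTC is normal change time

# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE_RECORDS = """
{"CreationTime": "2024-05-01T02:13:44", "Operation": "New-InboxRule", "UserId": "alice@example.com", "Workload": "Exchange", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "archive@ext-mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-05-01T09:02:10", "Operation": "New-InboxRule", "UserId": "bob@example.com", "Workload": "Exchange", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
{"CreationTime": "2024-05-01T03:40:01", "Operation": "New-TransportRule", "UserId": "svc-mailflow@example.com", "Workload": "Exchange", "Parameters": [{"Name": "Name", "Value": "Compliance copy"}, {"Name": "BlindCopyTo", "Value": "audit@ext-mail.example.net"}]}
{"CreationTime": "2024-05-01T10:15:00", "Operation": "Set-TransportRule", "UserId": "admin@example.com", "Workload": "Exchange", "Parameters": [{"Name": "Identity", "Value": "Disclaimer"}, {"Name": "ApplyHtmlDisclaimerText", "Value": "Confidential"}]}
"""


def _is_external(address):
    """True when the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyse_record(record):
    """Return the list of reasons a record is suspicious (empty if none)."""
    op = record.get("Operation", "")
    if op not in RULE_OPERATIONS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    user = record.get("UserId", "")
    reasons = []

    # Rule forwards or copies mail to an address outside the tenant.
    # Parameter values may be a single address or a ';'-separated list.
    targets = [a.strip() for name in FORWARDING_PARAMS if name in params
               for a in params[name].split(";") if a.strip()]
    if any(_is_external(a) for a in targets):
        reasons.append("external_forward")
        # Forward-and-delete hides the rule's effect from the mailbox owner.
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("forward_then_delete")

    # Mail-flow (transport) rule changed by an account that should not make them.
    if "TransportRule" in op and user not in MAIL_FLOW_ADMINS:
        reasons.append("transport_rule_by_non_admin")

    # Off-hours timing is only noted when something else already looks wrong.
    ctime = record.get("CreationTime", "")
    if reasons and len(ctime) >= 13 and int(ctime[11:13]) not in BUSINESS_HOURS_UTC:
        reasons.append("off_hours_change")
    return reasons


def hunt(jsonl):
    """Run analyse_record over a JSON-lines export and collect the findings in order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = analyse_record(record)
        if reasons:
            findings.append({"time": record.get("CreationTime"),
                             "user": record.get("UserId"),
                             "operation": record.get("Operation"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f['time']}  {f['operation']:<19} {f['user']:<26} {', '.join(f['reasons'])}")
```

On the constructed sample, the administrator's disclaimer change is left alone, the newsletter rule is benign, and the two rules that leak mail to an external domain are reported, one of them also for deleting the original and one for being created by a non-admin service account. The same logic applies to records exported with Search-UnifiedAuditLog or pulled from a SIEM; only the field mapping at the top changes.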
Mitigation and Response Recommendations
Organizations using Microsoft 365 should implement the following defensive measures:
- Enable Advanced Threat Protection: Ensure Microsoft Defender for Office 365 is enabled and properly configured to detect phishing, malware, and spear-phishing attempts.
- Implement Multi-Factor Authentication: Require MFA for all administrative accounts and high-value users to prevent credential theft.
- Monitor Mailbox Rules: Regularly audit mailbox rules, especially those created by non-administrative users or those that forward emails externally.
- Review Transport Rules: Conduct regular reviews of transport rules in Exchange Online to identify unauthorized modifications.
- Enable Legacy Authentication Blocking: Block legacy authentication protocols that do not support modern security controls.
- Implement Conditional Access Policies: Use Azure AD conditional access to control authentication based on location, device compliance, and other factors.
- Regular Security Audits: Conduct regular security assessments of Microsoft 365 environments, including review of app permissions and access tokens.
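The last recommendation, reviewing app permissions, is the one that catches the app-permission persistence path described earlier, because an OAuth application with mailbox scopes keeps working after passwords are reset and sessions revoked. The following script is an example added by the editor, not code from the article or from Microsoft. It reviews delegated permission grants and reports applications holding mailbox, file or directory scopes, ranking those with tenant-wide consent, an owner outside the tenant, or an unverified publisher highest. The input shapes are modelled on Microsoft Graph servicePrincipal and oauth2PermissionGrant objects, but every record below is constructed and the tenant ids are placeholders.

```python
"""Rank OAuth permission grants that give applications access to mail and files.

Editor-added example, not code from the article or Microsoft. Record shapes are
modelled on Graph servicePrincipal / oauth2PermissionGrant objects; the data
itself is constructed and the tenant ids are placeholders."""

HOME_TENANT_ID = "home-tenant-placeholder"  # assumption: this tenant's directory id

# Scopes that give broad mailbox, file or directory access to the holder.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All",
                    "EWS.AccessAsUser.All", "full_access_as_app"}

# Constructed service principals (what Graph would return for /servicePrincipals).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Mail Sync Helper",
     "appOwnerOrganizationId": "other-tenant-placeholder",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-2", "displayName": "Collaboration Suite",
     "appOwnerOrganizationId": "vendor-tenant-placeholder",
     "verifiedPublisher": {"displayName": "Vendor Inc"}},
    {"id": "sp-3", "displayName": "HR Portal",
     "appOwnerOrganizationId": "home-tenant-placeholder",
     "verifiedPublisher": {"displayName": None}},
]

# Constructed delegated grants (what Graph would return for /oauth2PermissionGrants).
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read offline_access Mail.ReadWrite Mail.Send"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-7",
     "resourceId": "graph", "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-3",
     "resourceId": "graph", "scope": "Mail.Read User.Read"},
]


def review_grants(service_principals, grants, home_tenant_id=HOME_TENANT_ID):
    """Return findings for grants carrying high-risk scopes, highest risk first."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sps.get(grant["clientId"], {})
        # Graph stores delegated scopes as a single space-separated string.
        risky = sorted(set(grant.get("scope", "").split()) & HIGH_RISK_SCOPES)
        if not risky:
            continue
        reasons = ["high_risk_scope"]
        if grant.get("consentType") == "AllPrincipals":
            reasons.append("tenant_wide_consent")   # admin consent: every mailbox in scope
        if sp.get("appOwnerOrganizationId") != home_tenant_id:
            reasons.append("external_app")          # application registered elsewhere
        if not (sp.get("verifiedPublisher") or {}).get("displayName"):
            reasons.append("unverified_publisher")
        findings.append({"app": sp.get("displayName", grant["clientId"]),
                         "scopes": risky, "reasons": reasons})
    # Most reasons first, then the wider set of risky scopes.
    findings.sort(key=lambda f: (len(f["reasons"]), len(f["scopes"])), reverse=True)
    return findings


if __name__ == "__main__":
    for f in review_grants(SERVICE_PRINCIPALS, GRANTS):
        print(f"{f['app']:<20} {' '.join(f['scopes']):<30} {', '.join(f['reasons'])}")
```

The ranking deliberately does not suppress internally owned apps: an in-house portal with Mail.Read still appears, just lower, because the list is meant to be read by an administrator who decides what is expected. Feeding it the real Graph responses is a matter of replacing the two constructed lists with the paged results of the corresponding endpoints.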
Attribution and Threat Actor Motivation
The deployment of Brickstorm aligns with China's strategic focus on intelligence collection from foreign governments and organizations. The group's emphasis on persistent access suggests a long-term espionage strategy rather than opportunistic cybercrime.
The use of Microsoft 365-specific techniques indicates sophisticated understanding of cloud environments and a deliberate choice to exploit the trust relationships inherent in enterprise email systems. This approach allows UNC5221 to maintain access even after initial compromise vectors are remediated.
Conclusion and Future Outlook
The UNC5221 group's use of the Brickstorm backdoor represents a significant evolution in cloud-based espionage capabilities. As organizations increasingly rely on Microsoft 365 for business operations, threat actors are adapting their techniques to exploit the trust models inherent in these platforms.
Security teams must adopt a proactive approach to Microsoft 365 security, focusing on continuous monitoring, regular audits of administrative privileges, and implementation of defense-in-depth strategies that account for the unique threat landscape of cloud-based environments.
Organizations should assume they are the target and implement security controls accordingly, recognizing that sophisticated nation-state actors have both the capability and motivation to maintain long-term access to high-value targets through sophisticated backdoor techniques like Brickstorm.
Technical Deep Dive: Brickstorm Capabilities and Attack Infrastructure
Command and Control Infrastructure
Analysis of Brickstorm's command-and-control infrastructure reveals a sophisticated setup designed for resilience and evasion. The group operates multiple layers of proxy servers and uses domain generation algorithms (DGAs) to create backup C2 domains when primary infrastructure is taken down.
The group has been observed registering hundreds of domains daily using automated tools, with only a small subset being used for actual command-and-control operations. This approach makes it difficult for security researchers to track and disrupt their infrastructure.
Evasion Techniques
Brickstorm employs several sophisticated evasion techniques to avoid detection:
- Memory-only execution: The backdoor is designed to execute entirely in memory without writing files to disk, evading traditional antivirus solutions.
- API hooking: The malware hooks into Windows API calls to hide its network activity and file operations from security monitoring tools.
- Sleep obfuscation: Brickstorm implements randomized sleep intervals between C2 communications to avoid detection by threshold-based alerting systems.
- Legitimate certificate usage: The group has been observed using valid SSL certificates (potentially compromised or fraudulently obtained) to encrypt C2 traffic and avoid detection by certificate-based blocklists.
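Randomized sleep intervals defeat a rule such as "more than N connections to one host per hour", but they do not hide the fact that a host keeps talking to the same destination at roughly regular spacing. The following script is an example added by the editor, not code from the article or from any vendor, showing how a defender can score that regularity instead of raw volume: for each source/destination pair it takes the inter-connection intervals and compares their median absolute deviation to the median, so a beacon with moderate jitter scores low while ordinary browsing scores high. The log lines, the 300-second beacon with about 20 percent jitter, and the thresholds are all constructed assumptions; real proxy or firewall logs need their own parser but the scoring is the same.

```python
"""Score connection regularity per (source, destination) pair to surface jittered beacons.

Editor-added example, not code from the article. The log lines below are constructed
("<epoch> <src> <dst>"); the beacon period, jitter pattern and thresholds are assumptions."""
import statistics
from collections import defaultdict

# Constructed inter-connection intervals (seconds).
BEACON_INTERVALS = [300, 252, 341, 288, 318, 267, 332, 295, 310, 245, 355, 301, 279, 326]
BROWSE_INTERVALS = [5, 40, 2, 300, 12, 7, 900, 3, 60, 25, 1800, 4, 9, 45, 120, 2, 30, 15]


def _series(start, src, dst, intervals):
    """Build constructed log lines for one flow from a start time and interval list."""
    t = start
    lines = [f"{t} {src} {dst}"]
    for iv in intervals:
        t += iv
        lines.append(f"{t} {src} {dst}")
    return lines


# Constructed sample log: one jittered beacon, one browsing pattern, one short series.
SAMPLE_LOG = (_series(1714600000, "10.0.0.5", "cdn-assets.example.net", BEACON_INTERVALS)
              + _series(1714600007, "10.0.0.5", "news.example.org", BROWSE_INTERVALS)
              + _series(1714600100, "10.0.0.9", "updates.example.org", [60, 60]))


def parse_log(lines):
    """Group connection timestamps by (src, dst)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def beacon_score(timestamps):
    """Return (median interval, spread) where spread = MAD / median of the intervals.

    A low spread means the gaps are nearly constant even if each one is jittered;
    the median and MAD are used so a few long pauses do not mask the pattern."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(intervals)
    mad = statistics.median(abs(i - med) for i in intervals)
    return med, (mad / med if med else float("inf"))


def find_beacons(flows, min_events=10, max_spread=0.35):
    """Flag flows with enough events whose interval spread is below the threshold."""
    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:       # too few events to judge regularity
            continue
        med, spread = beacon_score(stamps)
        if spread <= max_spread:
            hits[key] = {"events": len(stamps), "median_interval_s": med,
                         "spread": round(spread, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info}")
```

On the sample, the beacon produces only about twelve connections an hour, well under a typical volume threshold, yet its spread is below 0.1 while the browsing flow's spread is close to 0.9. Wider jitter raises the spread, so in practice the threshold is tuned against the organisation's own baseline and combined with destination age and reputation rather than used alone.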
Affected Organizations and Impact Assessment
While the full scope of affected organizations has not been publicly disclosed, security researchers have identified targets across multiple sectors including:
- Government institutions and defense contractors
- Telecommunications providers
- Technology companies with sensitive intellectual property
- Financial institutions
- Critical infrastructure operators
The long-term nature of the access provided by Brickstorm suggests significant data exfiltration has occurred in compromised environments. Organizations should assume their data may have been accessed if they detect any indicators of this campaign.
Response and Recovery Recommendations
Organizations that suspect compromise should:
- Immediately isolate affected systems from the network
- Preserve evidence for forensic analysis
- Engage incident response professionals with expertise in cloud-based intrusions
- Notify relevant regulatory bodies and law enforcement
- Implement additional security controls even if compromise is not confirmed
Conclusion
The UNC5221 group's deployment of the Brickstorm backdoor represents a significant threat to Microsoft 365 environments. Organizations must prioritize cloud security and implement comprehensive monitoring of all administrative activities within their Microsoft 365 tenancy.
Regular security training for employees, combined with technical controls such as MFA and conditional access policies, remains the best defense against these sophisticated attacks.
Organizations should work closely with Microsoft security teams and participate in information sharing initiatives to stay ahead of evolving threats from nation-state actors like UNC5221.